
How to display ACL counters attached to snmp?


Jim_Keeffe
New Contributor
I have created an ACL called acl167.pol that has a few IP addresses permitted to access the switch via snmp readonly. Here is the ACL:

    entry e1 { if { source-address 1xx.72.68.38/32; } then { permit; count e1; }}
    entry e2 { if { source-address 1xx.72.200.158/32; } then { permit; count e2; }}
    entry e3 { if { source-address 1xx.72.200.194/32; } then { permit; count e3; }}
    entry e4 { if { source-address 1xx.72.43.0 mask 255.255.255.128; } then { permit; count e4; }}
    entry denyall { if { } then { deny; count denyall; }}

I apply it to snmp here:

    configure snmp access-profile acl167 readonly

Now, I'd like to see if the counters are incrementing but I can't figure out how to do that. Here are a couple more commands to show:

    Eng_lab_8810A.39 # ls
    -rw-rw-rw- 1 root 0 398 Feb 24 13:45 acl167.pol
    -rw-rw-rw- 1 root 0 370165 Feb 24 13:32 primary.cfg
    drwxrwxrwx 2 root 0 0 Feb 13 18:27 vmt
    -rw-rw-rw- 1 root 0 6605 Feb 19 08:40 voice_subnet_restriction.pol

The other ACL is attached to a vlan and it is the only one that shows up when I do a:

    Eng_lab_8810A.42 # sh access-list counter
    Policy Name              Vlan Name   Port   Direction
        Counter Name                     Packet Count   Byte Count
    ==================================================================
    voice_subnet_restriction voice990    *      ingress
        denyallcntr                      188456
    Eng_lab_8810A.43 #

Any idea how I can show the counters for acl167.pol?
8 REPLIES

Jim_Keeffe
New Contributor
Thanks Ron - I appreciate your time with this. Cheers

Ron_Huygens
Community Manager
Hi Jim,

I did some further investigation. This may be expected behavior, but then we need to be more clear on that in our documentation.
From the documentation it seems that the default counter support is added only for ACL rules and not for policy files. For policy files you must configure the count action. The command "show access-list counters process snmp" is, however, only mentioned in the dynamic rules section.
I still suggest opening an SR for clarification on this topic.

The readonly / readwrite option is only available for use on a policy file.

Thanks,

Ron

Paul_Russo
Extreme Employee
Hello Jim

In your first post you use 1.xx in your policy. The xx are not valid options. Did you do a check policy acl167 on your file?

Try changing those settings to actual IP addresses and see if that gives you other results. As Ron said, you need to look at the counters per process when using access-profiles.

P

Hi Paul - I used 1.xx to blank out the real address. In the Policy I used the actual IP. Thanks for pointing that out though.
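
An added example, not part of any post in this thread and not Extreme's own tooling: a small Python lint for a policy file in the format posted above. It flags entries that lack a count action (the point in Ron's reply) and source-address values that do not parse as addresses (the point in Paul's reply). The sample policy is constructed with documentation addresses, the function names are hypothetical, and the switch's own "check policy" remains the authoritative syntax check.

```python
import ipaddress
import re

# Constructed sample in the thread's policy format (documentation addresses).
# Entry e2 keeps a masked "1xx" octet and has no count action, on purpose.
SAMPLE_POLICY = """
entry e1 { if { source-address 192.0.2.38/32; } then { permit; count e1; }}
entry e2 { if { source-address 1xx.72.200.158/32; } then { permit; }}
entry e4 { if { source-address 198.51.100.0 mask 255.255.255.128; } then { permit; count e4; }}
entry denyall { if { } then { deny; count denyall; }}
"""

# entry <name> { if [match all|any] { <matches> } then { <actions> } }
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*(?:match\s+(?:all|any)\s*)?\{(.*?)\}"
    r"\s*then\s*\{(.*?)\}\s*\}", re.S)


def statements(body):
    """Split a '{ ... }' body into its semicolon-terminated statements."""
    return [s.strip() for s in body.split(";") if s.strip()]


def source_network(stmt):
    """Parse 'source-address <ip>/<len>' or '<ip> mask <mask>'; None if invalid."""
    parts = stmt.split()
    try:
        if len(parts) == 2:
            return ipaddress.ip_network(parts[1], strict=False)
        if len(parts) == 4 and parts[2] == "mask":
            return ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
    except ValueError:
        pass
    return None


def lint(text):
    """Return (entry, problem) pairs for a policy file's text."""
    findings = []
    for name, match_body, action_body in ENTRY_RE.findall(text):
        for stmt in statements(match_body):
            if stmt.startswith("source-address") and source_network(stmt) is None:
                findings.append((name, "invalid source-address: " + stmt))
        if not any(a.split()[0] == "count" for a in statements(action_body)):
            findings.append((name, "no count action"))
    return findings


if __name__ == "__main__":
    for entry, problem in lint(SAMPLE_POLICY):
        print(f"{entry}: {problem}")
```

An entry reported with "no count action" has no counter of its own to look for in the per-process counter output.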